The Web may be thought of as a global village where computers (hosts) are the buildings, and the world-wide computer network known as the Internet forms the streets. The computers have addresses (IP Addresses)consisting of four numbers separated by periods. Many hosts also have nicknames known as domain names. A Web site typically consists of a UNIX or Microsoft Windows based Web server that "serves" software or content to other computers at the Web site for temporary use. A Web site is not a single application, but a system that provides access to applications and data on the server itself, as well as inside an organization. A user utilizes a Web "browser" to access a Web server to access anything that the organization wants to make available, from general information, to transactions, to access to a customer database.
FIG. 1 illustrates a computer 100 executing a Web browser program 105 that is employed by a user to communicate over the Internet 110, in a special language called Hyper Text Transfer Protocol (HTTP) 115, with another computer 120 executing a Web server program 125 to obtain data. The most basic Web transaction involves the transmission of Webpages, written in HyperText Markup Language (HTML) from the Web server 125 to the Web browser 105. Upon request by the user at the Web browser 105, the Web server 125 translates the HTML-based Webpage into HTTP and sends it over the Internet 110 for display as a Webpage at the requesting browser 105. While Web Server 125 may contain encryption features such as Netscape's Secure Sockets Layer or S-HTTP, and a filtering router 130 may be employed between the Web browser 105 and Web server 125 for filtering out any messages that aren't HTTP Web traffic bound for the SWP, only HTTP 115 communications between Web server 125 and the Web browser 105 are protected.
HTML allows any word(s) on any Webpage to refer ("link") to any other Webpage. While Webpages do a very good job of displaying information in the form of text or images, they do not handle decisions, for example, confirming a correct password and providing for user access or provide more sophisticated functions such as placing an order for goods or services. Thus, a special programming interface known as Common Gateway Interface (CGI) 130 is employed to extend the capabilities of the Web server beyond Webpages alone, allowing a level of interaction that HTML alone cannot provide. A typical organization employs a combination of CGI applications and HTML to provide a desired service or product.
As an example, the banking industry may employ the Internet for on-line banking transactions at a virtual bank. In particular, customers at Web sites on the Internet communicate with a Web server situated outside of the virtual bank which then invokes a plurality of bank related CGI applications within the virtual bank to process requests related to data stored within a database within the virtual bank. For example, one CGI application may be employed for obtaining a balance from a checking account, transferring money from one account to another, or triggering an electronic bill payment. Often the CGI application is a simple front-end to a more sophisticated database server connected to a network internal to the organization (defined as an Intranet).
Netscape's Secure Sockets Layer (SSL) protocol, and/or EIT's Secure HTTP(S-HTTP) may be employed to provide security for HTTP communications between a Web browser and a Web server. SSL and S-HTTP provide encryption, authentication, integrity, and confidentiality of traffic between a client and a server.
Additional Internet security may be obtained through the use of a secure operating system. In particular, HP-UX 10.09.01 Compartmented Mode Workstation (CMW) sold by Hewlett-Packard Company provides an operating system that operates in accordance with a Mandatory Access Control (MAC) policy that governs the way data may be accessed on a trusted system. The MAC policy is a computerized version of the Department of Defense's long-standing multilevel security policy for handling classified information with labels that reflect sensitivity, to maintain those labels or files and processes in the system, and to prevent users not cleared for certain levels of classified information from accessing it. Under MAC, all information on the system is classified to reflect its sensitivity, all users are assigned clearances, and every application runs at a specific sensitivity level. Using the MAC policy, the operating system controls access based on the relative sensitivity of the applications running and the files they access.
Sensitivity labels are associated with every process (an active CGI application manifests itself as a process) and filesystem object, and are used as the primary basis for all MAC policy decisions. A sensitivity label represents the sensitivity of a process or a filesystem object and the data each contains. If an application and the file it attempts to access have compatible sensitivity labels, it can read, write, or possible execute the file. Each new process typically inherits the sensitivity label of its parent. For example, if a program is executed within a shell (for example, sh(1), csh(1), or ksh(1), the new process automatically inherits the sensitivity label of the shell process. New files always inherit the sensitivity label of the process that creates them. Once created, the system provides a special trusted program (the File Manager) that may be employed for changing the sensitivity label of a file. Most users are allowed to upgrade files (to change their sensitivity labels upward, so the new sensitivity label dominates the previous one), but are not allowed to downgrade files (to reduce their sensitivity label so the new label is dominated by the previous label), or to cross grade them (so that the new label is incomparable to the previous one).
The effect of the MAC policy is to rigidly control information flow in the system, from process to file to process, to prevent accidental or intentional mislabeling of sensitive information. To do that, the system compares sensitivity labels to determine if a process can access an object. Any time a process tries to read, write, or execute a file, the system examines the process and object sensitivity labels and consults its MAC rules. For each operation a process requests, the system determines if the process has mandatory read or mandatory write access to the object. Most restrictions that the MAC policy enforces can be summarized by the two following rules:
(1) mandatory read access: A process can read or execute a file, search a directory, or (subject to other privilege requirements) read the contents of other objects if the process's sensitivity label dominates the object's. All of these operations involve transferring data from the object to the process, so having such access is referred to as "mandatory read" access. PA1 (2) mandatory write access: A process can write to a file, remove or create an entry in a directory, or change any object's security attributes (including its sensitivity label), if the process's sensitivity label is the same as the object's. All of these actions involve transferring data from the process to the object, so having such access is called "mandatory write" access. The first rule prevents a user who is not cleared for classified information from seeing it. Rule two prevents a user with a high clearance from revealing information to other users with lower clearances.
There exists a need for a trusted operating system that sets up access controls that grant, person by person, authorization to perform different tasks, from viewing files to making changes in them to changing a computer network's configuration.
It would be desirable and of considerable advantage to provide a mandatory access control policy to segregate the Web server from the CGI application that differs from traditional methods employing a Web server and a firewall.
A bridge between the Web server and the set of CGI applications could be advantageous when implemented by use of a trusted gateway agent to take information from a Web browser's HTTP request to the Web server and make that information available to the appropriate CGI application specified in the HTTP request, especially if the trusted gateway agent works in conjunction with a mandatory access control policy to isolate the Web server and the CGI applications to limit the ability of the Web server to invoke the CGI applications directly.
It will be apparent from the foregoing that there is still a need for a trusted gateway agent that passes arguments or input data to the CGI application and returns data from the CGI application to the Web server.